Joint industry letter to European Banking Authority on SCA and CVV authentication factors

Dear Mr. Enria,

We are writing to you with regards to the Regulatory Technical Standards for strong customer authentication (“SCA”) and common and secure open standards of communication (“RTS”) under PSD2. We fully support the aims of PSD2 and the RTS to ensure fair competition, innovation and security in the payment services sector. However we continue to have serious technical concerns on the definition of authentication factors as defined in the Opinion of the European Banking Authority on the implementation of the RTS (EBA-Op-2018-04) published on 18 June 2018.

The EBA wrote: Given that knowledge is defined as ‘something only the user knows’, the card number with CVV and expiry date printed on the card cannot be considered a knowledge element. This is also the case for a user ID. For a device to be considered possession, there needs to be a reliable means to confirm possession through the generation or receipt of a dynamic validation element on the device.

Whilst we agree that the card number with CVV is a questionable authentication factor on its own, the whole purpose of strong customer authentication is to layer the level of security with two or more independent factors and it is that layering approach alongside the fraud checks that are performed which makes SCA secure.

For remote commerce, as an example, the combination of knowing the card number, CVV and possessing a onetime
password delivered to a personal device is a very effective authentication method; knowing that authentication only takes places after a background transaction risk analysis where multiple fraud checks are performed behind the scene, which will be greatly enhanced with the new version of 3DS that we are deploying.

For transactions that are authenticated today using 3DS, with card details and one time passcode as the authentication factors, the fraud rate is less than 6 BPS.

We are committed to evolve authentication to include new technologies such as biometrics, however it would be challenging for issuers to deploy such new authentication methods before 14 September 2019 as we would be relying heavily on a positive consumer adoption. No prior recommendation, guidelines or consultation has prepared the industry for this very complex step change. For example, not all devices have biometric hardware and not all consumers have access to them.

The EBA’s disapplication of card number with CVV and expiry date as a ‘knowledge’ factor will have disastrous effect on remote commerce and will adversely impact customers, retailers and all stakeholders of the payment ecosystem by introducing unnecessary friction and abandonment at checkout.

For the reasons outlined above, we strongly appeal to the EBA to revise their opinion to keep card number and CVV as a valid authentication factor and phase it out within the next three years to allow time for the industry to deploy alternative authentication methods without disrupting payments. We would welcome further discussions on this important topic should the EBA so wish.